Gafgyt Analysis

IOB - Indicator of Behavior (494)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 414
ru: 66
sv: 4
es: 2
ja: 2


Country

us: 236
sc: 184
li: 16
ru: 10
ca: 4


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Joomla CMS: 20
Microsoft Windows: 20
Apache HTTP Server: 18
WordPress: 12
Microsoft Exchange Server: 10


Vulnerabilities

# | Vulnerability | Base score | Temp score | 0day price | Today price | Exploitability | Remediation | EPSS | CTI | CVE
1 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Unavailable | 0.00000 | 2.41 | 
2 | Zyxel ARMOR Z1/ARMOR Z2 CGI Program os command injection | 8.8 | 8.8 | $5k-$25k | $5k-$25k | Not Defined | Not Defined | 0.00053 | 0.00 | CVE-2021-4029
3 | spring-boot-actuator-logview LogViewEndpoint.view path traversal | 5.5 | 5.5 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00049 | 0.04 | CVE-2023-29986
4 | Apache HTTP Server response splitting | 5.3 | 5.1 | $5k-$25k | $25k-$100k | Not Defined | Not Defined | 0.00045 | 0.09 | CVE-2023-38709
5 | Joomla CMS com_actionslogs injection | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.01685 | 0.00 | CVE-2019-12765
6 | esoftpro Online Guestbook Pro ogp_show.php sql injection | 7.3 | 7.1 | $0-$5k | $0-$5k | High | Unavailable | 0.00135 | 0.07 | CVE-2010-4996
7 | Microsoft Windows Active Directory Federation Services ls server-side request forgery | 7.9 | 7.9 | $25k-$100k | $25k-$100k | Not Defined | Not Defined | 0.00519 | 0.02 | CVE-2018-16794
8 | CKFinder File Name unrestricted upload | 7.4 | 7.4 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00155 | 0.05 | CVE-2019-15862
9 | Joomla CMS Cache information disclosure | 6.4 | 6.1 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00326 | 0.03 | CVE-2017-9933
10 | Joomla CMS CSRF Token cross site scripting | 5.2 | 4.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00571 | 0.00 | CVE-2017-9934
11 | Jetty URI access control | 5.3 | 5.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.47555 | 0.00 | CVE-2021-34429
12 | Microsoft Windows SNMP GET Remote Code Execution | 7.3 | 7.0 | $25k-$100k | $0-$5k | Not Defined | Official Fix | 0.45448 | 0.04 | CVE-1999-0517
13 | GitLab Community Edition/Enterprise Edition Password Reset password recovery | 8.0 | 7.9 | $0-$5k | $0-$5k | High | Official Fix | 0.80716 | 0.45 | CVE-2023-7028
14 | Kyocera MFP Net View insufficiently protected credentials | 6.9 | 6.7 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.01011 | 0.04 | CVE-2022-1026
15 | WordPress sql injection | 6.8 | 6.7 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00467 | 0.04 | CVE-2022-21664
16 | SAP Knowledge Warehouse KW cross site scripting | 3.5 | 3.4 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00425 | 0.05 | CVE-2021-42063
17 | portable SDK for UPnP unique_service_name memory corruption | 10.0 | 9.5 | $0-$5k | $0-$5k | High | Official Fix | 0.97414 | 0.05 | CVE-2012-5958
18 | Dropbear SSH input validation | 8.5 | 8.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.02911 | 0.10 | CVE-2016-7406
19 | Joomla CMS mod_latestactions cross site scripting | 5.2 | 4.9 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00103 | 0.00 | CVE-2020-24599
20 | Bitrix Site Manager Vote Module Remote Code Execution | 7.3 | 7.0 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00668 | 0.04 | CVE-2022-27228

Campaigns (3)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (8)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (21)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Class | Vulnerabilities | Access Vector | Type | Confidence
1 | T1006 | CAPEC-126 | CWE-21, CWE-22, CWE-23 | Path Traversal | predictive | High
2 | T1055 | CAPEC-10 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High
3 | T1059 | CAPEC-242 | CWE-94 | Argument Injection | predictive | High
4 | T1059.007 | CAPEC-209 | CWE-79, CWE-80 | Cross Site Scripting | predictive | High
5 | T1068 | CAPEC-122 | CWE-264, CWE-266, CWE-269, CWE-284 | Execution with Unnecessary Privileges | predictive | High
6 | TXXXX | CAPEC-136 | CWE-XX, CWE-XX | Xxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx Xxxxxxxxx | predictive | High
7 | TXXXX.XXX | CAPEC-178 | CWE-XXX | Xxxx Xxxxxxxx | predictive | High
8 | TXXXX | CAPEC- | CWE-XXXX | Xxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxx Xxxxxxxx Xxxx Xx X Xxxxxxxx Xxxxxx | predictive | High
9 | TXXXX | CAPEC-1 | CWE-XXX, CWE-XXX | Xxxxxxxxxx Xxxxxx | predictive | High
10 | TXXXX.XXX | CAPEC-492 | CWE-XXXX | Xxxxxxxxxxxx Xxxxxxx Xxxxxxxxxx Xxxxxxxxxx | predictive | High
11 | TXXXX | CAPEC-108 | CWE-XX, CWE-XX | Xxx Xxxxxxxxx | predictive | High
12 | TXXXX.XXX | CAPEC-1 | CWE-XXX | Xxxxxxxx Xxxxxxxxxxxxx | predictive | High
13 | TXXXX | CAPEC-55 | CWE-XXX, CWE-XXX, CWE-XXX, CWE-XXX | Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
14 | TXXXX | CAPEC-37 | CWE-XXX | Xxxxxxxxx Xxxxxxx Xx Xxxxxxxxx Xxxxxxxxxxx | predictive | High
15 | TXXXX.XXX | CAPEC-154 | CWE-XXX | Xxxxxxxxxxxx | predictive | High
16 | TXXXX | CAPEC-38 | CWE-XXX | Xxxxxxxxx Xxxxxx Xxxx | predictive | High
17 | TXXXX.XXX | CAPEC-459 | CWE-XXX | Xxxxxxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
18 | TXXXX | CAPEC-116 | CWE-XXX, CWE-XXX, CWE-XXX | Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx | predictive | High
19 | TXXXX | CAPEC-112 | CWE-XXX, CWE-XXX | Xxxxxxxxxxxxx Xxxxxx | predictive | High
20 | TXXXX.XXX | CAPEC-112 | CWE-XXX, CWE-XXX | Xxx Xxxxxxxxxx Xxxxx | predictive | High
21 | TXXXX.XXX | CAPEC-1 | CWE-XXX | Xxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx Xxxxxxxxx | predictive | High

IOA - Indicator of Attack (129)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /adfs/ls | predictive | Medium
2 | File | /admin/sysmon.php | predictive | High
3 | File | /api/content/posts/comments | predictive | High
4 | File | /cimom | predictive | Low
5 | File | /debug/pprof | predictive | Medium
6 | File | /forum/away.php | predictive | High
7 | File | /Home/GetAttachment | predictive | High
8 | File | /LogoStore/search.php | predictive | High
9 | File | /MIME/INBOX-MM-1/ | predictive | High
10 | File | /modules/projects/vw_files.php | predictive | High
11 | File | /sm/api/v1/firewall/zone/services | predictive | High
12 | File | /usr/bin/pkexec | predictive | High
13 | File | /var/run/zabbix | predictive | High
14 | File | adclick.php | predictive | Medium
15 | File | xxxxx/xxxxxx.xxx | predictive | High
16 | File | xxxxxxx.xxx | predictive | Medium
17 | File | xxxxxxxxxxxxxxxxxxxxx.xxx | predictive | High
18 | File | xxxx-xxxx.x | predictive | Medium
19 | File | xxxxxx.xxx | predictive | Medium
20 | File | xxxxxx/xxxxxxxxx/xxxxxxxx/xxxxxxxxxx/xxxxxx/xxxx/xxxx_xxxxxxxx/xxxxxx.xx | predictive | High
21 | File | xxxxxxxxxxxxxxx.xxx | predictive | High
22 | File | xxx-xxx/xxxxxxx.xx | predictive | High
23 | File | xxx-xxx/xxxx_xxx.xxx | predictive | High
24 | File | xxxxxx.x | predictive | Medium
25 | File | xxxx/xxxxxxxxxxxxxxx.xxx | predictive | High
26 | File | xxxx/xxxx | predictive | Medium
27 | File | xxxxxx.xxx | predictive | Medium
28 | File | xxxxxx_xxx.x | predictive | Medium
29 | File | xxxxxxxxxxxxxx.xx | predictive | High
30 | File | xxxxxxxx.xxxx | predictive | High
31 | File | xxxxxxxxxx.xxxx | predictive | High
32 | File | xx/xxxxxxx/xxx.x | predictive | High
33 | File | xxx/xx/xxxx/xxxx.xxxxx.xxx | predictive | High
34 | File | xxxxxxx/xxxxxxx/xxxxxxxx.xxx.xxx | predictive | High
35 | File | xxxxx.xxx | predictive | Medium
36 | File | xxxxxxx.xxx | predictive | Medium
37 | File | xxxx_xxxxxxx.xxxx | predictive | High
38 | File | xxxxxx.x | predictive | Medium
39 | File | xxxxxxxx.xxx | predictive | Medium
40 | File | xxxxxx_x.xx.x | predictive | High
41 | File | xxxxxx.xx | predictive | Medium
42 | File | xxxxxxxxxxxx/xxx.x | predictive | High
43 | File | xxx_xxxxxxxxx.x | predictive | High
44 | File | xxxxxxx.xxx | predictive | Medium
45 | File | xxx_xxxx.xxx | predictive | Medium
46 | File | xxx_xxxxx_xxxx.x | predictive | High
47 | File | xxxxxxxxxxxxxx.xxxxx | predictive | High
48 | File | xxx_xxxx.xxx | predictive | Medium
49 | File | xxxxxxx.xxx | predictive | Medium
50 | File | xxxxxxx/xxxx | predictive | Medium
51 | File | xxx/xxxxx.xxxx | predictive | High
52 | File | xxxxxxx.xxx | predictive | Medium
53 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
54 | File | xxxxxxxx/xxx/xxxx_xxxxxxxxx/xxxx_xxxxxx_xxxxxxx/xxxx_xxxxxx_xxxxxxx.xxx | predictive | High
55 | File | xxxxxxxxxxxxxxxxxxxxx.xxxx | predictive | High
56 | File | xxxxxxxx.xxx | predictive | Medium
57 | File | xxxxxxxx_xxxxxxxxxxxx_xxxxxx.xx | predictive | High
58 | File | xxx_xxxxx_xxxxxxxxx.x | predictive | High
59 | File | xxxxxxxx/xxxx/xxxx.xxx?xxxxxx=xxxxxxxxxxxxxxxx | predictive | High
60 | File | xxxxx.xxx | predictive | Medium
61 | File | xxx/xxxx.xx | predictive | Medium
62 | File | xxxxxxxxxxxxxxx.xxx | predictive | High
63 | File | xxxxxxxx/xxxxxxxxxxxx-xxxxxxxxxx | predictive | High
64 | File | xxxxxx/xxxxxxx/xxxxxx/xxxxxxxx.xxx | predictive | High
65 | File | xxxx.xxx | predictive | Medium
66 | File | xxxxx.xxx | predictive | Medium
67 | File | xxx.xxx | predictive | Low
68 | File | xxx xxxx xxxxxxx | predictive | High
69 | File | xx-xxxxx/xxxxx-xxxxxx.xxx | predictive | High
70 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High
71 | File | xx-xxxxxxxx/xxxx.xxx | predictive | High
72 | File | xxxxxx.xxx?xxxxxx=xxxxxxxxx.xxxx&xxxxxxxxxxx=x | predictive | High
73 | Library | xxx-xx-xxx-xxxx-xxxx-xx-x-x.xxx | predictive | High
74 | Library | xxxx.xxx | predictive | Medium
75 | Argument | -x | predictive | Low
76 | Argument | xxxxxx | predictive | Low
77 | Argument | xxxxxxxxxxxxxx | predictive | High
78 | Argument | xxxxxxx | predictive | Low
79 | Argument | xxxxxx | predictive | Low
80 | Argument | xxxxx$xxxxxxxxxxxxxx$xxxxxxxxxxx | predictive | High
81 | Argument | xxxxxxx | predictive | Low
82 | Argument | xxxxxx/xxxxxxx | predictive | High
83 | Argument | xxxxxxxx[xxxx_xxx] | predictive | High
84 | Argument | xxxxxx | predictive | Low
85 | Argument | xxxxxx | predictive | Low
86 | Argument | xxxxxxx[xx_xxx_xxxx] | predictive | High
87 | Argument | xxxx | predictive | Low
88 | Argument | xxxxxxxx xxxx/xxxxxxxx xxxxxxxx/xxxxxxxx xxxxxxx xx/xxxxxxx/xxxx | predictive | High
89 | Argument | xx | predictive | Low
90 | Argument | xxxxxxxxxxx | predictive | Medium
91 | Argument | xxxxxxx_xxxx | predictive | Medium
92 | Argument | xxxx | predictive | Low
93 | Argument | xxxxx | predictive | Low
94 | Argument | xxxxxxxx | predictive | Medium
95 | Argument | xxxxxxxxxx | predictive | Medium
96 | Argument | xxxx_xxx_xxxxxxxx_xxx | predictive | High
97 | Argument | xxxxxxxxxxxxxxxx | predictive | High
98 | Argument | xxxxxxx | predictive | Low
99 | Argument | xxxxxxxx | predictive | Medium
100 | Argument | xxxxxxxx | predictive | Medium
101 | Argument | xxxxxxxx | predictive | Medium
102 | Argument | xxxx_xx | predictive | Low
103 | Argument | xx | predictive | Low
104 | Argument | xxxxx | predictive | Low
105 | Argument | xxxxx/xxxxxxxx | predictive | High
106 | Argument | xxxxx | predictive | Low
107 | Argument | xxxxxx | predictive | Low
108 | Argument | xxxxxx_xxxxxx | predictive | High
109 | Argument | xxxxxx_xxxxxx | predictive | High
110 | Argument | xxxxx_xxxxxx_xxxxxxxx | predictive | High
111 | Argument | xxx | predictive | Low
112 | Argument | xx_xxx_xxxxx | predictive | Medium
113 | Argument | xxxxxxxxxxx | predictive | Medium
114 | Argument | xxx | predictive | Low
115 | Argument | xxxxxxxx/xxxx | predictive | High
116 | Argument | xxxxx | predictive | Low
117 | Input Value | ../ | predictive | Low
118 | Input Value | x!x@x#x$x%x | predictive | Medium
119 | Input Value | xxxx' xxxxx xxx xxxxxx xxxxxx(xxxxxx('xxxxx','xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'),'xxxxx'),xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx,xxxx-- xxxx&xxxxxx= | predictive | High
120 | Input Value | \x | predictive | Low
121 | Pattern | xxxxxxx-xxxx|xx| | predictive | High
122 | Pattern | |xx|xx|xx| | predictive | Medium
123 | Pattern | |xx xx xx xx| | predictive | High
124 | Network Port | xxxx/xxxx | predictive | Medium
125 | Network Port | xxx/xx (xxxx) | predictive | High
126 | Network Port | xxx/xx | predictive | Low
127 | Network Port | xxx/xxx | predictive | Low
128 | Network Port | xxx/xxxx | predictive | Medium
129 | Network Port | xxx/xxxx | predictive | Medium
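As an added example, not code from this page and not a Gafgyt artifact, the following Python script turns the unmasked File and Input Value indicators from the IOA table above into a detection pass over web-server access logs: it percent-decodes each request URI, matches the path against the listed file fragments case-insensitively, checks path and query string for the "../" traversal token, and aggregates hits per source address. The combined log format, the sample log lines and the RFC 5737 addresses in them are constructed assumptions; the masked rows of the table are not reproduced.

```python
"""Match web-server requests against the unmasked IOA fragments from the table.

Illustrative code added to this page; not from VulDB and not from any Gafgyt
sample. Log format, log lines, addresses and timestamps are constructed."""
import re
from urllib.parse import unquote

# Unmasked "File" indicators from the IOA table. /usr/bin/pkexec and /var/run/zabbix
# are local paths rather than URIs; they are kept so the same list can be reused
# against host telemetry, but they will not normally appear in HTTP logs.
IOA_FILE_FRAGMENTS = [
    "/adfs/ls",
    "/admin/sysmon.php",
    "/api/content/posts/comments",
    "/cimom",
    "/debug/pprof",
    "/forum/away.php",
    "/Home/GetAttachment",
    "/LogoStore/search.php",
    "/MIME/INBOX-MM-1/",
    "/modules/projects/vw_files.php",
    "/sm/api/v1/firewall/zone/services",
    "/usr/bin/pkexec",
    "/var/run/zabbix",
    "adclick.php",
]
# The one unmasked "Input Value" indicator (row 117): a directory-traversal token.
TRAVERSAL_TOKEN = "../"

# Assumption: logs are in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def classify(uri):
    """Return the IOA labels a request URI matches.

    The URI is percent-decoded first so that "%2e%2e/" is seen as "../", and the
    path is compared case-insensitively because the table mixes cases
    (/Home/GetAttachment, /adfs/ls) and IIS paths are case-insensitive anyway.
    The traversal token is checked in the query string as well as the path,
    since attackers usually put it in a parameter value.
    """
    decoded = unquote(uri)
    path = decoded.partition("?")[0].lower()
    hits = [f"file:{frag}" for frag in IOA_FILE_FRAGMENTS if frag.lower() in path]
    if TRAVERSAL_TOKEN in decoded:
        hits.append(f"input:{TRAVERSAL_TOKEN}")
    return hits


def scan(lines):
    """Parse log lines and return one finding per request that matches an IOA.

    Lines that do not parse are skipped rather than raising, because real logs
    contain truncated or malformed entries.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify(m["uri"])
        if hits:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "uri": m["uri"], "hits": hits})
    return findings


def by_ip(findings):
    """Count matched requests per source IP, the usual pivot for scanner triage."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /forum/away.php?s=http://198.51.100.7/x.sh HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Mar/2024:12:00:03 +0000] "GET /debug/pprof/heap HTTP/1.1" 200 40960',
    '198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /adfs/ls/?wa=wsignin1.0 HTTP/1.1" 200 2048',
    '192.0.2.44 - - [10/Mar/2024:12:00:05 +0000] "GET /cgi-bin/view?file=%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '192.0.2.44 - - [10/Mar/2024:12:00:06 +0000] "POST /admin/SYSMON.php HTTP/1.1" 403 0',
    'truncated entry that does not parse',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f'{f["ip"]:<14} {f["status"]} {f["uri"]}  <- {", ".join(f["hits"])}')
    print(by_ip(found))
```

Requests that were refused (403/404) are still reported: for an actor profile the point is the attempt, not whether the endpoint existed. Substring matching on a fragment such as adclick.php will also fire on benign sites that ship a file of that name, so treat a single hit as a lead and pivot on the per-address count and on the Pattern and Network Port indicators the page masks.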

References (5)

The following list contains external sources which discuss the actor and the associated activities:
